Photo of Torben Hansen

A TechBlog by Torben Hansen


Freelance Full Stack Web Developer located in Germany.
I create web applications mainly using TYPO3, PHP, Python and JavaScript.
Home Archive Tags

From double to tripple: Preventing unintended opt-in / opt-out confirmations

Today, double opt-in is the de facto standard for web services that require user subscriptions. This process is commonly used for newsletter sign-ups, user account creation or event registration/cancellation.

A typical double opt-in process works as following:

One of the main reasons why double opt-in is used, are compliance reasons, since you need to verify, that the user did really subscribe to the service. Additionally, the reduction of spam, hardening of user trust or the reduction of complaints may be reasons to use a double opt-in process.

The problem with double opt-in / opt-out

The double opt-in / opt-out process can become problematic in terms of email security due to the behavior of email security gateways and virus/malware protection services. These security systems may automatically check and open links in emails to scan for potential threats, which can inadvertently interfere with the double opt-in / opt-out process and lead to the following problems:

As an example, my TYPO3 extension sf_event_mgt allows users to register for events. To ensure that the registration is intentional, a confirmation email containing both a confirmation link and a cancellation link is sent to the user. However, when this email is processed by an email security gateway, it can happen that both the confirmation and cancellation links are automatically clicked. This can be frustrating for users and leads to unwanted support requests and concerns about the functionality of the extension.

Why you should use tripple opt-in / opt-out

A tripple opt-in / opt-out process addresses the issues found in the double opt-in / opt-out process by adding an additional layer of verification. This third step involves a final verification action, such as clicking a confirmation link or completing a confirmation form, which is displayed after the user clicks the initial action link in the email. This step requires a manual action from the user, ensuring the intent of the action is deliberate and authentic.

In version 7.5.0 of my TYPO3 extension sf_event_mgt, I have implemented a tripple opt-in process for event registration and a tripple opt-out process for event cancellation. This feature can be optionally activated via TypoScript configuration.

The tripple opt-in process ensures that users confirm their registration through three distinct steps, enhancing the security and validity of the registration. Similarly, the tripple opt-in process requires users to confirm their cancellation through three steps, preventing unintended cancellations. This additional layer of verification helps avoid issues caused by automatic link clicks from email security gateways, enhancing user experience and reducing support requests.